- Package:
- src:orthanc
- Source:
- src:orthanc
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2026-06-03 19:57:01 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for orthanc.

CVE-2026-10528[0]:
| A security flaw has been discovered in Orthanc DICOM Server up to
| 1.12.11. This issue affects the function DcmItem::read of the file
| OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the
| component DCMTK Parser. Performing a manipulation results in
| stack-based buffer overflow. Attacking locally is a requirement. The
| exploit has been released to the public and may be used for attacks.
| The patch is named bae99026ca97. To fix this issue, it is
| recommended to deploy a patch.

https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=258
https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10528
    https://www.cve.org/CVERecord?id=CVE-2026-10528

Please adjust the affected versions in the BTS as needed.
Hello,

Most of this CVE is related to DCMTK, not to Orthanc, as can be seen in the patch "dcmtk-3.7.0-max-nested-sequence.patch" that is contained in the referred changeset:
https://orthanc.uclouvain.be/hg/orthanc/rev/bae99026ca97

An associated bug should first be filed against the Debian "dcmtk" package, before the CVE can be fixed in the Debian "orthanc" package itself.

The "dcmtk" package must be fixed by introducing the following upstream patch:
https://github.com/DCMTK/dcmtk/commit/885ff0f10372bd589b5f44cea974f28a3964cb0f

Regards,
Sébastien
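The patch name quoted above ("max-nested-sequence") indicates that the fix bounds how deeply sequences may nest. The following is an added illustration of that mitigation class, written for this page and not taken from DCMTK or Orthanc: a toy recursive element parser (constructed 2-byte tag, 4-byte little-endian length, value; a tag of 0xFFFE marks a nested sequence) that refuses input before recursing past an assumed depth cap, so its stack consumption is bounded by the cap rather than by the attacker's input. The encoding, the MAX_NESTING value and the helper names are assumptions made for the example and do not describe DCMTK's real format, limit or fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy element encoding constructed for this example (NOT the DICOM wire
 * format): 2-byte LE tag, 4-byte LE length, then `length` bytes of value.
 * A tag equal to SQ_TAG means the value is itself a list of elements. */
#define SQ_TAG 0xFFFE
/* Assumed cap for the example; DCMTK's actual limit is not stated on this page. */
#define MAX_NESTING 8

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_DEEP = 2 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Recursive descent over one item list. `depth` is the current sequence
 * nesting level; the check happens BEFORE recursing, so the C stack never
 * grows past MAX_NESTING frames no matter how the input is nested. */
static enum parse_status parse_items(const uint8_t *buf, size_t len,
                                     unsigned depth, unsigned *max_depth_seen) {
    size_t off = 0;
    if (depth > *max_depth_seen) *max_depth_seen = depth;
    while (off < len) {
        if (len - off < 6) return PARSE_TRUNCATED;          /* header must fit */
        uint16_t tag = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        uint32_t vlen = rd32(buf + off + 2);
        off += 6;
        if (vlen > len - off) return PARSE_TRUNCATED;       /* value must fit */
        if (tag == SQ_TAG) {
            if (depth + 1 > MAX_NESTING) return PARSE_TOO_DEEP;
            enum parse_status st = parse_items(buf + off, vlen, depth + 1, max_depth_seen);
            if (st != PARSE_OK) return st;
        }
        off += vlen;
    }
    return PARSE_OK;
}

/* Public entry point: parse a whole dataset, report the deepest level reached. */
enum parse_status parse_dataset(const uint8_t *buf, size_t len, unsigned *max_depth_seen) {
    unsigned d = 0;
    enum parse_status st = parse_items(buf, len, 0, &d);
    if (max_depth_seen) *max_depth_seen = d;
    return st;
}

/* Constructed test input: `levels` SQ wrappers around one 1-byte leaf element
 * (tag 0x0010, value 'x'). Returns bytes written, or 0 if `cap` is too small. */
size_t build_nested(uint8_t *out, size_t cap, unsigned levels) {
    size_t total = 7 + (size_t)levels * 6;   /* 7-byte leaf + 6-byte header per wrapper */
    if (total > cap) return 0;
    uint8_t *p = out;
    size_t inner = total;
    for (unsigned i = 0; i < levels; i++) {
        inner -= 6;                           /* length of everything inside this wrapper */
        p[0] = (uint8_t)(SQ_TAG & 0xFF); p[1] = (uint8_t)(SQ_TAG >> 8);
        p[2] = (uint8_t)(inner & 0xFF);  p[3] = (uint8_t)((inner >> 8) & 0xFF);
        p[4] = (uint8_t)((inner >> 16) & 0xFF); p[5] = (uint8_t)((inner >> 24) & 0xFF);
        p += 6;
    }
    p[0] = 0x10; p[1] = 0x00;                 /* leaf tag 0x0010 */
    p[2] = 1; p[3] = 0; p[4] = 0; p[5] = 0;   /* length 1 */
    p[6] = 'x';
    return total;
}

/* Convenience wrapper: build `levels` of nesting and parse it. */
enum parse_status check_nested(unsigned levels, unsigned *depth_seen) {
    uint8_t buf[1024];
    size_t n = build_nested(buf, sizeof buf, levels);
    if (n == 0) return PARSE_TRUNCATED;
    return parse_dataset(buf, n, depth_seen);
}

int main(void) {
    unsigned d;
    for (unsigned levels = 0; levels <= 20; levels += 5) {
        enum parse_status st = check_nested(levels, &d);
        printf("%u nested SQ: status %d, deepest level reached %u\n", levels, st, d);
    }
    return 0;
}
```

The point to carry over to a real parser is where the check sits: it runs on the way in, before the recursive call, and it counts nesting rather than bytes, so a small input can never buy an unbounded number of stack frames. A truncated or oversized length is rejected separately and never used to index past the buffer.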
Hi Sébastien,

Thanks for the pointer, I have begun to work on this tonight and integrated a patch to dcmtk that had a bit of fuzz, but does not seem to have had negative impact yet. Changes are available on Salsa [1].

[1]: https://salsa.debian.org/med-team/dcmtk/

I have not uploaded yet though, because I would like to tackle appropriately the lintian error license-problem-old-unicode [2]. I fear it could be a blocker for further upload of the package to the archive. I don't believe I have much actionable way of correcting that though, because I don't seem to locate equivalent files that would have been relicensed to e.g. Unicode license v3, apart perhaps from excluding the files (but then, I believe that some binary artifacts below oficonv/data will lack their "source code", so this is unlikely a satisfying approach). Digging into the corresponding bug #854209, it seems it may be necessary to resort to contacting dcmtk upstream about those items. I'm not sure how long it could take, perhaps I need to attempt upload anyway to avoid delaying integration of security patches; besides, I have another CVE correction in the pipeline.

[2]: https://udd.debian.org/lintian/?packages=dcmtk

Have a good evening, :)